Bug 1767483 (CVE-2019-10086) - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
Summary: CVE-2019-10086 apache-commons-beanutils: does not suppresses the class proper...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1767498 1772495 1772496 1776318 1777091 1781294 1781295 1781713 1781714 1781715 1781716 1781717 1782344 1782459 1782460 1782461 1782462 1809370 1809371
Blocks: 1767578
TreeView+ depends on / blocked
 
Reported: 2019-10-31 14:38 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-08-04 13:15 UTC (History)
125 users (show)

Fixed In Version: apache-commons-beanutils 1.9.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.
Clone Of:
Environment:
Last Closed: 2019-12-18 20:09:25 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4317 None None None 2019-12-18 15:29:48 UTC
Red Hat Product Errata RHSA-2020:0057 None None None 2020-01-08 11:19:56 UTC
Red Hat Product Errata RHSA-2020:0194 None None None 2020-01-21 19:12:19 UTC
Red Hat Product Errata RHSA-2020:0804 None None None 2020-03-12 17:04:37 UTC
Red Hat Product Errata RHSA-2020:0805 None None None 2020-03-12 17:06:02 UTC
Red Hat Product Errata RHSA-2020:0806 None None None 2020-03-12 17:01:43 UTC
Red Hat Product Errata RHSA-2020:0811 None None None 2020-03-12 17:00:43 UTC
Red Hat Product Errata RHSA-2020:0899 None None None 2020-03-18 17:37:36 UTC
Red Hat Product Errata RHSA-2020:0951 None None None 2020-03-23 20:13:57 UTC
Red Hat Product Errata RHSA-2020:1308 None None None 2020-04-02 16:32:22 UTC
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:22:16 UTC
Red Hat Product Errata RHSA-2020:2067 None None None 2020-05-18 10:27:20 UTC
Red Hat Product Errata RHSA-2020:2321 None None None 2020-05-26 16:10:04 UTC
Red Hat Product Errata RHSA-2020:2333 None None None 2020-05-28 15:59:34 UTC
Red Hat Product Errata RHSA-2020:2619 None None None 2020-06-19 01:47:18 UTC
Red Hat Product Errata RHSA-2020:2740 None None None 2020-06-24 14:14:04 UTC
Red Hat Product Errata RHSA-2020:3192 None None None 2020-07-28 15:55:35 UTC
Red Hat Product Errata RHSA-2020:3197 None None None 2020-07-29 06:22:37 UTC
Red Hat Product Errata RHSA-2020:3247 None None None 2020-08-04 13:15:49 UTC

Description Guilherme de Almeida Suckevicz 2019-10-31 14:38:08 UTC
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Reference:
http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e

Comment 1 Pedro Sampaio 2019-10-31 15:12:19 UTC
Created apache-commons-beanutils tracking bugs for this issue:

Affects: fedora-all [bug 1767498]

Comment 2 Fabio Valentini 2019-10-31 15:23:30 UTC
The page for the CVE entry [0] claims that this affects versions <= 1.9.3, so 1.9.4 does not have this issue - do I understand this correctly?

If so, we can just merge the 1.9.4 update that's already in rawhide to stable fedora releases as well.

[0]: https://nvd.nist.gov/vuln/detail/CVE-2019-10086

Comment 6 Paramvir jindal 2019-11-19 17:05:52 UTC
RHSSO 7.3.4 ships commons-beanutils-1.9.3.redhat-1.jar seems to be affected as per the description. This flaw allows attacker to manipulate the class loader properties on server and I am not sure which all properties are exposed by RHSSO so creating the tracker and leaving it to dev team to take it further.

Comment 8 Kunjan Rathod 2019-11-21 09:03:25 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss SOA Platform 5

Comment 9 Kunjan Rathod 2019-11-21 09:04:13 UTC
In reply to comment #8:
> This vulnerability is out of security support scope for the following
> products:
>  * Red Hat Enterprise Application Platform 6
>  * Red Hat Enterprise Application Platform 5
>  * Red Hat JBoss Operations Network 3
>  * Red Hat JBoss BPMS 6
>  * Red Hat JBoss BRMS 6
>  * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 17 Paramvir jindal 2019-12-11 10:06:33 UTC
Both RHDM 7.5.1 and RHPAM 7.5.1 ships commons-beanutils-1.9.3.redhat-1.jar which seems to be affected so marking them as affected and creating trackers for them :

./standalone/deployments/decision-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar
./standalone/deployments/business-central.war/WEB-INF/lib/commons-beanutils-1.9.3.redhat-1.jar

Comment 24 errata-xmlrpc 2019-12-18 15:29:43 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4317 https://access.redhat.com/errata/RHSA-2019:4317

Comment 25 Product Security DevOps Team 2019-12-18 20:09:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10086

Comment 30 errata-xmlrpc 2020-01-08 11:19:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0057 https://access.redhat.com/errata/RHSA-2020:0057

Comment 31 errata-xmlrpc 2020-01-21 19:12:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0194 https://access.redhat.com/errata/RHSA-2020:0194

Comment 34 errata-xmlrpc 2020-03-12 17:00:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811

Comment 35 errata-xmlrpc 2020-03-12 17:01:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806

Comment 36 errata-xmlrpc 2020-03-12 17:04:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804

Comment 37 errata-xmlrpc 2020-03-12 17:05:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805

Comment 39 errata-xmlrpc 2020-03-18 17:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:0899 https://access.redhat.com/errata/RHSA-2020:0899

Comment 40 errata-xmlrpc 2020-03-23 20:13:51 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951

Comment 41 errata-xmlrpc 2020-04-02 16:32:16 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308

Comment 42 errata-xmlrpc 2020-04-14 13:22:11 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 7

Via RHSA-2020:1454 https://access.redhat.com/errata/RHSA-2020:1454

Comment 43 Chess Hazlett 2020-05-13 16:19:30 UTC
Mitigation:

There is no currently known mitigation for this flaw.

Comment 44 errata-xmlrpc 2020-05-18 10:27:12 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 45 errata-xmlrpc 2020-05-26 16:09:58 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.6

Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321

Comment 46 errata-xmlrpc 2020-05-28 15:59:29 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 48 errata-xmlrpc 2020-06-19 01:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0 on EAP async

Via RHSA-2020:2619 https://access.redhat.com/errata/RHSA-2020:2619

Comment 49 errata-xmlrpc 2020-06-24 14:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2020:2740 https://access.redhat.com/errata/RHSA-2020:2740

Comment 50 errata-xmlrpc 2020-07-28 15:55:28 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

Comment 51 errata-xmlrpc 2020-07-29 06:22:31 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

Comment 53 errata-xmlrpc 2020-08-04 13:15:43 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247


Note You need to log in before you can comment on or make changes to this bug.